Monday, September 18, 2017

This blog post goes through what is required to get Windows 10 Enterprise Edition 1703 ready for deployment in an enterprise environment with Internet Explorer.

In Windows 10 Enterprise Edition 1607, a common practice to prepare the image for deployment was to create a custom default profile. This was done by creating a temporary user account on the base image and customizing it, for example by removing Edge, Store and Windows Mail from the taskbar and removing modern apps from the Start Menu tiles. The profile of this temporary user would then be used to create a new "Default profile" under C:\Users, and the old profile would generally be renamed to something like Default.old or deleted entirely.

In Windows 10 Enterprise Edition 1703 however, customizing the default profile results in Sysprep failing with an error. This error results in an infinite loop of restarts after the first boot with the following text:

Why did my PC restart?

There's a problem that's keeping us from getting your PC ready to use, but we think an update will help get things working again.

Here's how to update:

Make sure your PC is plugged in

If this PC uses Wi-Fi, select Next to following instructions to connect to a Wi-Fi network.

If this PC does not use Wi-Fi, insert a network cable to connect to a wired network, and then select Next.

Once you're connected, select Next, and the update will install.

As a result, we must perform all modifications to the image without modifying the default profile on the base image as a workaround. After liaising with Microsoft, we also do not want the Windows 10 1703 image to ever touch the Internet, as it will download additional bloatware and updates during the installation process, which can also cause Sysprep to fail.

Below are the documented steps for creating an Enterprise Ready Windows 10 Enterprise 1703 build with the bloatware stripped out and Internet Explorer as the standard browser, so your legacy Enterprise web applications continue to function.

Step 1 - Create a new Virtual Machine with no Internet

You want to create your image on a virtual machine, not a physical workstation. Do not install VMware Tools or Hyper-V Integration Services, as we want to keep the image clean. The image will eventually be deployed to physical hardware, and as a result we do not want such software on the Windows 10 Enterprise build.

Make sure you use all generic virtual hardware. For example, on VMware make sure you use the E1000E virtual NIC, not VMXNET3, as the latter requires custom drivers from VMware Tools.

Install Windows 10 from the latest Windows 10 Enterprise 1703 ISO. Make sure the VM is disconnected from the Internet during the build process to ensure it cannot download updates.

Step 2 - Enable Sysprep Audit Mode

Immediately after the install finishes, enable Sysprep in Audit Mode. You use Audit Mode to set up the default profile, which will affect all users that log in to the computer.

Do not generalize the image and simply select reboot.

Step 3 - Unpin Applications from Start Menu and Taskbar

Whilst in Audit Mode, go through and unpin all the modern apps from the Start Menu. Also unpin anything you want from the taskbar, such as Store, Windows Mail etc.

Step 4 - Remove Bloatware

Next we want to go through and remove all bloatware from the image. In Windows 10 Enterprise 1607 we could simply achieve this with the following command:

Get-AppxPackage -AllUsers | Remove-AppxPackage

On Windows 10 Enterprise 1703, however, we cannot do this or it will break Sysprep. As a result we need to specify the individual bloatware applications we wish to remove. Here is the list I used on my image; tailor it for your needs.
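One way to script the per-application removal described above, as an added example that is not the author's script or list: the package names are a constructed sample, `Remove-ImageApp` is a hypothetical helper, and removing the provisioned copy as well as the installed one goes beyond the single command shown on the page. The final call uses -WhatIf, so nothing is removed until that switch is dropped.

```powershell
# Added example. Run from an elevated PowerShell session in Audit Mode.
# Constructed sample list, NOT the author's list; replace with your own.
$targets = @(
    'Microsoft.BingWeather',
    'Microsoft.ZuneMusic',
    'Microsoft.ZuneVideo',
    'Microsoft.MicrosoftSolitaireCollection'
)

function Remove-ImageApp {
    # Hypothetical helper: removes only the named packages, never "everything".
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$Name)

    # Query the provisioned set once; it is what gets installed for new profiles.
    $provisioned = Get-AppxProvisionedPackage -Online

    foreach ($n in $Name) {
        # Copies already installed into a user profile on the reference image.
        $installed = @(Get-AppxPackage -AllUsers -Name $n)
        foreach ($pkg in $installed) {
            if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage')) {
                $pkg | Remove-AppxPackage -ErrorAction Continue
            }
        }

        # Matching provisioned copy, so the app is not re-installed per user.
        $prov = @($provisioned | Where-Object { $_.DisplayName -eq $n })
        foreach ($p in $prov) {
            if ($PSCmdlet.ShouldProcess($p.PackageName, 'Remove-AppxProvisionedPackage')) {
                Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName | Out-Null
            }
        }

        # A name that matches nothing is usually a typo; surface it.
        if ($installed.Count -eq 0 -and $prov.Count -eq 0) {
            Write-Warning "No installed or provisioned package named '$n'"
        }
    }
}

# Dry run: lists what would be removed without changing the image.
Remove-ImageApp -Name $targets -WhatIf
```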

To prevent the image from downloading more bloatware when we connect it to the Internet, we need to add the following registry key. This stops it from downloading additional non-essential applications considered by many as "bloatware".

Step 9 - Removing Edge and Pinning Internet Explorer with SCCM

Despite removing the Edge icon from the image in the default profile, the CopyProfile part of Sysprep does not bring the change across. Other Start Menu changes all stay in place.

Microsoft MVP Jörgen Nilsson has created a script to use in an SCCM task sequence to ensure Edge stays removed. He published this here:

Whilst this script removes Edge, it does not pin Internet Explorer in its place. Here is version 2.0 of this script, which pins Internet Explorer in the place of Edge. Please download from the following link:

And as always with SCCM, distribute the package to the distribution points.

Step 11 - Modify the SCCM Win10 Deployment Task Sequence

Next we want to configure the SCCM task sequence to run the batch script we imported to a package. This batch script simply imports a registry key to the default profile and configures a "runonce" to ensure all new users that log in to the image run the PowerShell script to modify the taskbar.

To run the batch file, we want to add a "Run Command Line" option at the end of the task sequence, usually as the last step. Simply select the package and enter "TaskBar.cmd" in the command line area.

This will ensure that after new machines are deployed, Edge will be removed and Internet Explorer will be put in its place.

Extra Steps

I recommend considering deploying the following group policy settings to your Windows 10 computers: